Cyber Policy and Strategy Planner

Cyber Policy and Strategy Planner
Work Role ID: OV-SPP-002
Develops and maintains cybersecurity plans, strategy, and policy to support and align with organizational cybersecurity initiatives and regulatory compliance.
Category: Oversee and Govern
Specialty Area: Strategic Planning and Policy

Abilities

A0003: Ability to determine the validity of technology trend data.
A0033: Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
A0037: Ability to leverage best practices and lessons learned of external organizations and academic institutions dealing with cyber issues.

Knowledge

K0001: Knowledge of computer networking concepts and protocols, and network security methodologies.
K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
K0004: Knowledge of cybersecurity and privacy principles.
K0005: Knowledge of cyber threats and vulnerabilities.
K0006: Knowledge of specific operational impacts of cybersecurity lapses.
K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0127: Knowledge of the nature and function of the relevant information structure (e.g., National Information Infrastructure).
K0146: Knowledge of the organization's core business/mission processes.
K0168: Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
K0234: Knowledge of full spectrum cyber capabilities (e.g., defense, attack, exploitation).
K0248: Knowledge of strategic theory and practice.
K0309: Knowledge of emerging technologies that have potential for exploitation.
K0311: Knowledge of industry indicators useful for identifying technology trends.
K0313: Knowledge of external organizations and academic institutions with cyber focus (e.g., cyber curriculum/training and Research & Development).
K0335: Knowledge of current and emerging cyber technologies.
K0624: Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)

Skills

S0176: Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
S0250: Skill in preparing plans and related correspondence.

Tasks

T0074: Develop policy, programs, and guidelines for implementation.
T0094: Establish and maintain communication channels with stakeholders.
T0222: Review existing and proposed policies with stakeholders.
T0226: Serve on agency and interagency policy boards.
T0341: Advocate for adequate funding for cyber training resources, to include both internal and industry-provided courses, instructors, and related materials.
T0369: Ensure that cyber workforce management policies and processes comply with legal and organizational requirements regarding equal opportunity, diversity, and fair hiring/employment practices.
T0384: Promote awareness of cyber policy and strategy as appropriate among management and ensure sound principles are reflected in the organization's mission, vision, and goals.
T0390: Review/Assess cyber workforce effectiveness to adjust skill and/or qualification standards.
T0408: Interpret and apply applicable laws, statutes, and regulatory documents and integrate into policy.
T0425: Analyze organizational cyber policy.
T0429: Assess policy needs and collaborate with stakeholders to develop policies to govern cyber activities.
T0441: Define and integrate current and future mission environments.
T0445: Design/integrate a cyber strategy that outlines the vision, mission, and goals that align with the organization's strategic plan.
T0472: Draft, staff, and publish cyber policy.
T0505: Monitor the rigorous application of cyber policies, principles, and practices in the delivery of planning and management services.
T0506: Seek consensus on proposed policy changes from stakeholders.
T0529: Provide policy guidance to cyber management, staff, and users.
T0533: Review, conduct, or participate in audits of cyber programs and projects.
T0537: Support the CIO in the formulation of cyber-related policies.

Capability Indicators

Capability Indicators for Cyber Policy and Strategy Planner
Category	Entry	Intermediate	Advanced
Credentials/Certifications	Recommended: Yes Example Types: Certifications addressing analysis, assessment, control, mitigation and management of risk within a federal management and acquisition framework containing personal data; identifying, implementing and integrating management, acquisition and administrative risk methodologies for securing critical and sensitive information infrastructures, strategic planning (how to plan the plan, historical analysis, horizon analysis, visioning, environmental scans [SWOT, PEST, porters etc.], mission, vision, and value statements), planning to ensure institutional effectiveness, security policy development (policy establishes bounds for behavior, policy empowers users to do the right thing, should and shall, policy, policy versus procedure, policy needs assessment processes, organizational assumptions, beliefs and values (ABVs), relationship of mission to policy, organizational culture, comprehensive security policy assessment (using the principles of psychology to implement policy, applying the SMART method to policy, how policy protects people, organizations and information, case study, the process to handle a new risk, behavior-related polices, acceptable use, ethics, warning banners, policy development process, policy review and assessment process, wrap-up), leadership and management competencies (leadership building blocks, coaching and training, change management, team development, motivating, developing the vision, leadership development, building competencies, importance of communication, self-direction, brainstorming, relationship building, teamwork concepts, leader qualities, leadership benefits), access control theory, Mitnick-Shimomura attack, network addressing, network fundamentals, network mapping and scanning, network protocol, vulnerability management overview, vulnerability scanning, web application security, windows automation, auditing and forensics, hotfixes and backups, active directory and group policy overview, wireless security, info privacy technology, privacy program governance (organization level, develop the privacy program framework, implement the privacy policy framework, metrics) privacy operation lifecycle (assess your organization, protect, sustain, respond), program management, disciplined, data-driven approach and methodology for eliminating defects Example Topics: N/A	Recommended: Yes Example Types: N/A Example Topics: Certifications addressing information privacy technology, privacy program governance (organization level, develop the privacy program framework, implement the privacy policy framework, metrics) privacy operation lifecycle (assess your organization, protect, sustain, respond), program management, risk management, categorization of information systems, selection of security controls, security control implementation and assessment, information system authorization, monitoring of security controls, understand basic cybersecurity concepts and definitions, apply cybersecurity architecture principles, identify components of a cybersecurity architecture, define network security architecture concepts including (topology, protocols, components, principles), understand malware analysis concepts and methodology, recognize the methodologies and techniques for detecting host-and-network-based intrusions via intrusion detection technologies, identify computer network defense and vulnerability assessment tools, including open source tools and their capabilities, understand system hardening, apply penetration testing principles, tools, and techniques, define network systems management principles, models, methods, and tools, understand remote access technology and systems administration concepts, distinguish system and application security threats and vulnerabilities, recognize system lifecycle management principles, including software security and usability, local specialized system requirements for safety, performance, and reliability, types of incidents (categories, responses, and timelines for responses), disaster recovery and business continuity planning, incident response and handling methodologies, security event correlation tools, how different file types can be used for atypical behavior, investigative implications of hardware, operating systems, and network technologies, as well as basic concepts, practices, tools, tactics, techniques, and procedures for processing digital forensic data, network traffic analysis methods recognize new and emerging information technology and information security technologies including (the current threat landscape, mobile devices, cloud computing and storage), project management (initiating, planning executing, monitoring and controlling, closing), business continuity and disaster recovery, security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, network security, security policy and awareness, systems and application security, information security governance, and Balance Score Card Indicator (BSI)	Recommended: Yes Example Topics: Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, authentication, authorization, and accountability, cryptography foundations, information security and risk management principles, network foundations, information security governance, security program development and management, incident management, BSI (Balance Score Card Indicator)
Continuous Learning	Recommended: Yes Examples: Involvement with policy, legislation, government/agency-wide policy groups (CNNS, NIST)	Recommended: Yes Examples: 40 hours annually (may include policy lifecycle, communications)	Recommended: Yes Examples: 40 hours annually (leading change, leading people, business acumen, building coalitions)
Education	Recommended: Yes Example Types: Bachelor's, M.B.A., J.D. Example Topics: IT security management, IT management, information security, political science, business management, communications, public administration with cybersecurity experience	Recommended: Yes Example Types: Bachelor's, M.B.A., J.D. Example Topics: IT security management, IT management, information security, political science, business management, communications, public administration with cybersecurity experience	Recommended: Yes Example Types: Master's, Ph.D. Example Topics: IT security management, IT management, information security, political science, business management, communications, public administration with cybersecurity experience
Experiential Learning	Recommended: No Examples: N/A	Recommended: Yes Examples: Prior Information security experience	Recommended: Yes Examples: Prior Information security experience
Training	Recommended: N/A Example Types: N/A Example Topics: N/A	Recommended: N/A Example Types: N/A Example Topics: N/A	Recommended: N/A Example Types: N/A Example Topics: N/A

The NICE Framework data presented on these pages was last updated by NIST on July 7, 2020 and will be updated when the official Revision 1 data is released.